JunOS configuration analyzer to find security misconfigurations and vulnerabilities.
Aegis is a Juniper configuration audit tool that inspects JunOS systems for vulnerabilities and security misconfigurations. Its defining feature is that Aegis only reads the configuration: the analysis runs without exploits, brute-force attempts, or any other active action against the device.
Aegis works with any JunOS-based equipment; it is not restricted to specific device families such as QFX or MX.
This tool is designed specifically for security engineers and network engineers to assess the security level of their own Juniper equipment. Before using Aegis, you must have special permissions to analyze configurations. You must also ensure that using this tool does not violate the local security policy of the organization where the equipment is located. The author of the tool is not responsible for any incorrect or illegal use of the tool.
Aegis is not a tool for conducting attacks and does not include brute force, vulnerability exploitation, or any other penetration testing behavior.
Aegis performs a comprehensive security audit of JunOS configurations with an advanced, object-oriented engine:
- Security Risk Scoring Engine: Aggregates findings from all audit modules to calculate a total score (out of 100), assigning an overall risk rating (Excellent, Good, Moderate, Poor, Critical) based on the severity of misconfigurations.
- Compliance Mapping: Automatically links findings to recognized security frameworks like CIS, NIST 800-53, and DISA STIG, providing actionable remediation commands.
- Flexible Reporting Formats: Output your audit results in traditional terminal format, structured JSON for SIEM integrations, or professional standalone HTML reports.
It continues to offer dedicated audit modules:
- System Information: Hostname, version, root password checks.
- Users Enumeration: UIDs, user classes, password hash strength, inactive/default accounts.
- Login Security Assessment: Retry policies, password lifecycle enforcement, login banners.
- AAA: Authentication order, RADIUS/TACACS+ secrets, accounting, and syslog configuration.
- Checking Management Interfaces: Firewall filters, exposed services, control plane (lo0) protection.
- Remote Access Configuration: SSH algorithms, TCP forwarding, Telnet, HTTP/HTTPS web management, NETCONF.
- CVE Search Module: NVD-based vulnerability mapping for specific JunOS versions.
On Debian-based systems with Python 3.11 or later, running pip install directly against the system interpreter is blocked by the externally managed environment policy (PEP 668), which prevents conflicts with distribution-managed packages. Aegis is therefore installed either via pipx or inside a venv:
:~$ sudo apt install pipx
:~$ pipx ensurepath
:~$ git clone https://github.com/ellay21/Aegis
:~$ cd Aegis
:~/Aegis$ pipx install .
:~/Aegis$ aegis -h
If pipx is unavailable, you can install Aegis manually in a virtual environment:
:~$ git clone https://github.com/ellay21/Aegis
:~$ cd Aegis
:~/Aegis$ python3 -m venv venv
:~/Aegis$ source venv/bin/activate
(venv):~/Aegis$ pip install .
(venv):~/Aegis$ aegis -h
Aegis is a JunOS configuration analysis tool that works as an XML parser over the configuration representation. JunOS can display its configuration in several formats, but the XML variant is the most convenient for analyzing the configuration structure.
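The following is an added example, not code from the Aegis project, showing the kind of XML-driven checks the Remote Access and Management Interfaces modules above describe. It uses only the standard library, the configuration sample is constructed (not a capture from a real device), and its element layout is an assumption modelled on what "show configuration | display xml" returns. The weak-algorithm set is taken from the demo output further down this page; the check names, severities and messages are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like the <rpc-reply>/<configuration> tree that
# "show configuration | display xml" returns. It is not a capture from a real
# device, and the element layout is an assumption drawn from JunOS XML output.
SAMPLE_XML = """<rpc-reply>
  <configuration>
    <system>
      <host-name>lab-switch</host-name>
      <services>
        <ssh>
          <root-login>allow</root-login>
          <protocol-version>v2</protocol-version>
          <ciphers>aes128-cbc</ciphers>
          <ciphers>aes256-ctr</ciphers>
          <macs>hmac-sha1</macs>
          <macs>hmac-sha2-256</macs>
          <key-exchange>dh-group14-sha1</key-exchange>
        </ssh>
        <telnet/>
        <web-management>
          <http/>
          <https/>
        </web-management>
      </services>
    </system>
    <interfaces>
      <interface>
        <name>lo0</name>
        <unit>
          <name>0</name>
          <family><inet><address><name>10.0.0.1/32</name></address></inet></family>
        </unit>
      </interface>
    </interfaces>
  </configuration>
</rpc-reply>
"""

# Algorithms the demo output on this page reports as weak: CBC ciphers,
# MD5 / SHA-1 MACs and SHA-1 based key exchange.
WEAK_SSH_ALGOS = {
    "3des-cbc", "aes128-cbc", "aes256-cbc",
    "hmac-md5", "hmac-sha1",
    "dh-group1-sha1", "dh-group14-sha1", "group-exchange-sha1",
}


def parse_configuration(xml_text):
    """Return the <configuration> element, whether or not it is wrapped in <rpc-reply>."""
    root = ET.fromstring(xml_text)
    conf = root if root.tag == "configuration" else root.find("configuration")
    if conf is None:
        raise ValueError("no <configuration> element in input")
    return conf


def audit_remote_access(conf):
    """Checks modelled on the Remote Access module: root login, weak algorithms, Telnet, HTTP."""
    findings = []
    ssh = conf.find("system/services/ssh")
    if ssh is not None:
        if (ssh.findtext("root-login") or "").strip() == "allow":
            findings.append(("HIGH", "Root login is allowed over SSH"))
        # Each configured algorithm is its own repeated element in the XML form.
        configured = [e.text.strip() for tag in ("ciphers", "macs", "key-exchange")
                      for e in ssh.findall(tag) if e.text]
        weak = sorted(a for a in configured if a in WEAK_SSH_ALGOS)
        if weak:
            findings.append(("MEDIUM", "Weak SSH algorithms: " + ", ".join(weak)))
    # Presence of the empty <telnet/> or <http/> element means the service is enabled.
    if conf.find("system/services/telnet") is not None:
        findings.append(("HIGH", "Telnet service is enabled"))
    if conf.find("system/services/web-management/http") is not None:
        findings.append(("MEDIUM", "HTTP web management is enabled"))
    return findings


def audit_control_plane(conf):
    """Check that every lo0 inet unit carries an input firewall filter (control plane protection)."""
    findings = []
    for iface in conf.findall("interfaces/interface"):
        if (iface.findtext("name") or "").strip() != "lo0":
            continue
        for unit in iface.findall("unit"):
            if unit.find("family/inet") is None:
                continue
            if not (unit.findtext("family/inet/filter/input/filter-name") or "").strip():
                findings.append(("HIGH", f"lo0 unit {unit.findtext('name')} has no inet input filter"))
    return findings


def audit(xml_text):
    """Run both module checks and return a flat list of (severity, message) findings."""
    conf = parse_configuration(xml_text)
    return audit_remote_access(conf) + audit_control_plane(conf)


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_XML):
        print(f"[{severity}] {message}")
```

Because JunOS emits one element per list member (one `<ciphers>` per configured cipher), `findall` over the repeated tag is the natural way to collect the algorithm set; a hardened configuration passes these checks once `root-login` is `deny`, the weak entries are removed, Telnet and HTTP are deleted, and an input filter is applied to `lo0`.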
The tool has a help function, so all commands and parameters can be viewed using the -h flag:
:~$ aegis -h
:~$ aegis mode -h
:~$ aegis cve -h
Aegis supports subcommand-specific help (e.g., mode hot, cve cold) with custom descriptions of arguments and examples.
In hot mode, the tool connects to JunOS remotely over the SSH protocol using the netmiko library.
It obtains the configuration via the show configuration | display xml | no-more command and performs a live configuration audit.
Two authentication methods are supported:
- Password authentication;
- SSH key-based authentication.
The password and passphrase for the SSH key are requested via getpass, which ensures that they are entered securely without being displayed on the screen or stored in memory.
:~$ aegis mode hot 192.168.0.105 memphis
[*] Mode: Hot
Target Device: 192.168.0.105
Transport: SSH
[?] SSH password for memphis@192.168.0.105:
[+] SSH connection successful: memphis@192.168.0.105
[*] Extracting system configuration
Authentication using the memphis account password.
:~$ aegis mode hot 192.168.0.105 ellay ~/.ssh/jun_ellay_cf26598
[*] Mode: Hot
Target Device: 192.168.0.105
Transport: SSH
[?] Passphrase for key /home/ellay/.ssh/jun_ellay_cf26598 (leave empty if none):
[+] SSH connection successful: ellay@192.168.0.105
[*] Extracting system configuration
Authentication using the ellay account SSH key.
After connecting, Aegis will receive the configuration, analyze it, and generate a security report.
To use Aegis, all you need is an account with RO (read-only) privileges, which prevents the tool from making any changes to the device configuration.
In cold mode, Aegis analyzes a local JunOS configuration XML file:
:~$ aegis mode cold SW1.xml
[*] Mode: Cold
Input File: SW1.xml
File Size: 9.3 KB
[*] Performing configuration security analysis
Next, Aegis parses the configuration, extracts the JunOS version, and performs all internal checks, just as in hot mode.
Cold mode is particularly useful for audit and compliance teams working with archived configurations or without network access to equipment.
You can generate reports in multiple formats using the --format flag:
- Terminal (Default): Color-coded text output in your CLI.
aegis mode cold SW1.xml --format terminal
- JSON: Structured JSON output for programmatic integration.
aegis mode cold SW1.xml --format json
- HTML: Generates an interactive, standalone HTML dashboard.
aegis mode cold SW1.xml --format html
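As an added example (not the project's own code), the block below shows how the Security Risk Scoring Engine and Compliance Mapping described at the top of the page, and the JSON output selected with --format json, fit together: findings are weighted into a score out of 100, mapped to one of the five ratings the page names, enriched with a framework reference and a remediation command, and serialized for a SIEM. The severity weights, rating thresholds, check identifiers and the choice of NIST 800-53 control per check are this example's assumptions, not Aegis's documented behaviour; the CIS benchmark item numbers are left as placeholders.

```python
import json
from datetime import datetime, timezone

# Assumed weights per finding severity (Aegis's real weighting is not on this page).
SEVERITY_WEIGHTS = {"CRITICAL": 25, "HIGH": 10, "MEDIUM": 5, "LOW": 1}

# Assumed score bands for the five ratings the page names, highest floor first.
RATING_BANDS = [(90, "Excellent"), (75, "Good"), (50, "Moderate"), (25, "Poor"), (0, "Critical")]

# Illustrative compliance mapping keyed by this example's own check identifiers.
# The JunOS commands are standard CLI syntax; the control choices are assumptions.
REMEDIATION = {
    "ssh-root-login": {
        "fix": "set system services ssh root-login deny",
        "refs": ["NIST 800-53 AC-6", "CIS Juniper OS Benchmark (item: placeholder)"],
    },
    "ssh-weak-algorithms": {
        "fix": "delete system services ssh ciphers (then set only modern ciphers/macs/key-exchange)",
        "refs": ["NIST 800-53 SC-8", "NIST 800-53 SC-13"],
    },
    "http-enabled": {
        "fix": "delete system services web-management http",
        "refs": ["NIST 800-53 SC-8"],
    },
    "lo0-no-input-filter": {
        "fix": "set interfaces lo0 unit 0 family inet filter input PROTECT-RE (filter must be defined first)",
        "refs": ["NIST 800-53 SC-7", "NIST 800-53 AC-17"],
    },
    "aaa-no-accounting": {
        "fix": "set system accounting events [ login change-log interactive-commands ]",
        "refs": ["NIST 800-53 AU-2"],
    },
}

# Constructed findings mirroring the demo output on this page.
SAMPLE_FINDINGS = [
    {"check": "ssh-root-login", "severity": "HIGH", "message": "Root login is allowed over SSH."},
    {"check": "ssh-weak-algorithms", "severity": "MEDIUM", "message": "Weak SSH algorithms detected."},
    {"check": "http-enabled", "severity": "MEDIUM", "message": "HTTP access is enabled."},
    {"check": "lo0-no-input-filter", "severity": "HIGH", "message": "No input ACL applied to lo0."},
    {"check": "aaa-no-accounting", "severity": "HIGH", "message": "AAA accounting is not configured."},
]


def score_findings(findings):
    """Subtract each finding's weight from 100 and map the result to a rating."""
    penalty = sum(SEVERITY_WEIGHTS.get(f["severity"], 0) for f in findings)
    score = max(0, 100 - penalty)
    rating = next(label for floor, label in RATING_BANDS if score >= floor)
    return score, rating


def severity_counts(findings):
    counts = {sev: 0 for sev in SEVERITY_WEIGHTS}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


def build_report(hostname, findings, generated_at=None):
    """Assemble the structure a SIEM would ingest: score, rating, counts and enriched findings."""
    score, rating = score_findings(findings)
    enriched = []
    for f in findings:
        entry = dict(f)
        entry.update(REMEDIATION.get(f["check"], {"fix": None, "refs": []}))
        enriched.append(entry)
    return {
        "tool": "example-junos-audit",
        "hostname": hostname,
        "generated_at": (generated_at or datetime.now(timezone.utc)).isoformat(),
        "score": score,
        "rating": rating,
        "severity_counts": severity_counts(findings),
        "findings": enriched,
    }


def to_json(report):
    return json.dumps(report, indent=2, sort_keys=True)


if __name__ == "__main__":
    print(to_json(build_report("JuniperSwitch", SAMPLE_FINDINGS)))
```

The remediation strings are deliberately kept as plain commands so that the JSON can be turned into a ticket or a playbook step without further lookup; a real mapping table would carry the exact benchmark item for each check rather than a placeholder.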
In CVE mode, the tool works as a CVE-based vulnerability parser, matching JunOS versions against known vulnerabilities published in NVD. This allows you to quickly identify potential vulnerabilities associated with the version of the system you are using.
Three search modes are supported:
- CVE Hot Mode (SSH): The tool connects to the device, extracts the JunOS version, and checks it against the CVE database:
:~$ aegis cve hot 192.168.0.105 memphis
- CVE Cold Mode (XML): You can specify a saved configuration or a file containing only the line with the JunOS version:
:~$ aegis cve cold SW1.xml
- Checking any version: You can check absolutely any version of JunOS you want:
:~$ aegis cve version 24.4R1.9
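Matching a version string such as 24.4R1.9 against advisories requires parsing the JunOS release format (major.minor, R release, optional -S service release, optional build) into something comparable. The block below is an added example, not Aegis's code: it parses that format, treats each affected range as a half-open [first affected, first fixed) interval, and produces the CRIT/HIGH/MED/LOW/UNK summary counts shown in the demo output. The advisory entries are constructed with placeholder identifiers and made-up ranges; real matching would use the affected-version data published in NVD.

```python
import re

# JunOS release strings: <major>.<minor>R<release>[-S<service>][.<build>], optionally
# with an -EVO suffix on Junos OS Evolved, which this example parses but does not distinguish.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.(\d+))?(?:-EVO)?$")


def parse_junos_version(text):
    """Return a comparable tuple (major, minor, release, service, build); missing parts are 0.

    The service-release number sorts before the build number so that 24.4R1-S1
    is newer than any 24.4R1.<build>, matching how service releases follow a base release.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised JunOS version: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


# Constructed advisories with placeholder identifiers. Each affected range is
# (first affected release, first fixed release); the fixed release is excluded.
ADVISORIES = [
    {"id": "EXAMPLE-ADVISORY-0001", "severity": "HIGH",
     "affected": [("24.4R1", "24.4R1-S3"), ("24.2R1", "24.2R2")]},
    {"id": "EXAMPLE-ADVISORY-0002", "severity": "MEDIUM",
     "affected": [("23.4R1", "24.4R1")]},
    {"id": "EXAMPLE-ADVISORY-0003", "severity": "LOW",
     "affected": [("24.4R1-S1", "24.4R2")]},
]


def is_affected(version, ranges):
    """True if the version falls inside any [start, fixed) range."""
    v = parse_junos_version(version)
    return any(parse_junos_version(start) <= v < parse_junos_version(fixed) for start, fixed in ranges)


def match_version(version, advisories=ADVISORIES):
    """Return the advisories whose affected ranges include the given version."""
    return [a for a in advisories if is_affected(version, a["affected"])]


def summarize(matches):
    """Count matches per severity bucket in the same layout as the page's demo output."""
    counts = {"CRIT": 0, "HIGH": 0, "MED": 0, "LOW": 0, "UNK": 0}
    short = {"CRITICAL": "CRIT", "HIGH": "HIGH", "MEDIUM": "MED", "LOW": "LOW"}
    for a in matches:
        counts[short.get(a.get("severity"), "UNK")] += 1
    return counts


if __name__ == "__main__":
    target = "24.4R1.9"
    hits = match_version(target)
    print(" | ".join(f"{k}: {v}" for k, v in summarize(hits).items()))
    for a in hits:
        print(f"{a['id']:<24} {a['severity']}")
```

The comparison deliberately avoids string ordering: "24.4R1.10" must sort above "24.4R1.9", and a service release must sort above every build of its base release, which only holds once the string is split into numeric fields.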
Demonstration of Juniper equipment configuration analysis. Cold mode is used.
:~$ uv run python aegis.py mode cold test_config.xml
[*] Mode: Cold
Input File: test_config.xml
File Size: 1.7 KB
[*] Performing configuration security analysis
[*] System Information
Device Hostname: JuniperSwitch
Installed JunOS Version: 25.2R1.9
Last Commit by: root
Last Commit Time: 2025-10-13 13:15:24 UTC
Root Password: configured
[*] Users Enumeration
[*] ellay
UID: 2001
Class: super-user
Password: none
SSH Keys: total=1 (cf26598=1)
[!] SSH-only access — ensure keys are from trusted sources.
[!] Login class 'super-user' not defined or has no restrictions.
[*] memphis
UID: 2000
Class: super-user
Password: present
Hash: SHA-512 ($6)
SSH Keys: total=0
[!] Login class 'super-user' not defined or has no restrictions.
[*] Login Security Assessment
[*] Retry Options
Tries before disconnect: 3
Backoff threshold: 3
Backoff factor: 5
Minimum time: 20 sec
Lockout period: 300 sec
[*] Password Policy
Minimum length: 12
Maximum length: 32
Maximum lifetime: 90 days
[!] Very long maximum lifetime — consider forcing periodic rotation.
Minimum changes: 2
Minimum reuse distance: 5
Change type: character-sets
[*] Login Banners
Login announcement: set
Login message: set
[!] Login announcement present — ensure it contains legal notice only.
[!] MOTD message set — review content for sensitive information.
[*] Authentication, Authorization & Accounting (AAA)
[*] Authentication Order
Order: password
[!] Only local authentication is configured.
[!] No external AAA methods are used.
[*] RADIUS Servers
Configured: No
[*] TACACS+ Servers
Configured: No
[*] Accounting
Configured: No
[!] AAA accounting is not configured.
[!] User logins and actions are not being logged.
[*] Syslog Auditing for AAA
Syslog Config: present
File: interactive-commands
File: messages
[*] Checking Management Interfaces
[*] fxp0
Input Filter: none
[!] No firewall filter applied — interface exposed to unrestricted access.
[*] Control Plane (lo0)
Input Filter: none
Allowed Sources: none (unrestricted)
[!] No input ACL applied to lo0 — control plane traffic unrestricted.
[!] Apply input ACL to restrict SSH/HTTPS to trusted sources.
[+] Checking the Remote Access Configuration
[*] SSH Settings
Enabled: Yes
SFTP Server: disabled
Protocol Version: v2
Root Login: allow
[!] Root login is allowed over SSH.
Password Authentication: enabled
[!] Password-based authentication is enabled.
TCP Forwarding: disabled (default)
Idle Timeout: 300 seconds
Alive Count Max: 3
Session Limit: 10
Rate Limit: 5 connections/min
Max Pre-Auth Packets: 5000
[!] High SSH pre-auth packet limit (5000) — consider lowering it.
Max Sessions per Connection: 50
[!] High session-per-connection limit (50) — restrict if unnecessary.
Ciphers / MACs / KEX:
Ciphers: aes128-cbc, aes256-cbc, 3des-cbc; MACs: hmac-md5, hmac-sha1; KEX: dh-group1-sha1, dh-group14-sha1, group-exchange-sha1
[!] Weak SSH algorithms detected: 3des-cbc, aes128-cbc, aes256-cbc, dh-group1-sha1, dh-group14-sha1, group-exchange-sha1, hmac-md5, hmac-sha1
[*] Telnet
Enabled: No
[*] Web Management
HTTP: enabled
[!] HTTP access is enabled — avoid plain-text management connections.
HTTPS: enabled
[*] NETCONF
Enabled over SSH: No
[*] Configuration security analysis completed
[*] Tip: Use "aegis cve version 25.2R1.9" to check for known vulnerabilities
Demonstration of CVE search for JunOS version 24.4R1.9:
:~$ aegis cve version 24.4R1.9
CRIT: 0 | HIGH: 4 | MED: 10 | LOW: 0 | UNK: 0
CVE ID           SEV   CVSS  PUBLISHED
CVE-2025-30661   HIGH  7.3   2025-07-11
CVE-2025-52954   HIGH  7.8   2025-07-11
CVE-2025-59964   HIGH  7.5   2025-10-09
CVE-2025-60004   HIGH  7.5   2025-10-09
CVE-2025-52949   MED   6.5   2025-07-11
CVE-2025-52951   MED   5.8   2025-07-11
CVE-2025-52953   MED   6.5   2025-07-11
CVE-2025-52963   MED   5.5   2025-07-11
CVE-2025-52985   MED   5.3   2025-07-11
CVE-2025-52986   MED   5.5   2025-07-11
CVE-2025-52989   MED   5.1   2025-07-11
CVE-2025-52961   MED   6.5   2025-10-09
CVE-2025-60006   MED   5.3   2025-10-09
CVE-2025-60010   MED   5.4   2025-10-09
Copyright (c) 2025 Mesud. This project is licensed under the MIT License.
This project is not affiliated with or endorsed by Juniper Networks, Inc.
All Juniper trademarks and product names are the property of their respective owners.
- Add checks for network protocols, routing, redundancy, and other areas;
- Add link-layer security checks for Juniper switches.
If you have any suggestions or find any bugs, feel free to create issues in the repository.